Question about authentication methods

Martin Geisler mg at aragost.com
Sat May 1 11:15:41 UTC 2010


Jens Alfke <jens at mooseyard.com> writes:

> The problem with authenticating commits is that commits don’t have any
> notion of client and server. A commit just happens locally on a
> machine. The only feasible way to authenticate a commit is with a
> digital signature. Mercurial doesn’t have built-in support for this
> AFAIK, but there might be extensions that provide hooks to sign
> commits.

There is the gpg extension which lets you add a signature to a changeset
after the fact, e.g., to sign a release.

I made another extension which lets you embed signatures directly into
each changeset:

  http://bitbucket.org/mg/commitsigs/

I haven't updated or tried it in a while.

What is there works, but someone wanted to make it more general by also
supporting X509 certificates and not just PGP keys. So I'm not sure
about the format of the meta data, which means that you may not want to
run out and begin embedding signatures in all your changesets.

-- 
Martin Geisler

aragost Trifork
Professional Mercurial support
http://aragost.com/mercurial/



More information about the Mercurial mailing list